State of Software Security

700,000 scans analyzed for the report

2 trillion lines of code scanned over 12 months

22 million flaws found over 12 months

8.7 million flaws fixed over 12 months

What Does SOSS Mean For You?

Veracode presents volume 9 of the State of Software Security (SOSS) report, our comprehensive review of application testing data. This year’s SOSS report includes extensive analysis of the results from more than 700,000 application scans, analyzed for trends in vulnerability prevalence, remediation, industry performance, and more. We’ve also taken it one step further by introducing flaw persistence, which allows us to provide better visibility into the factors that go into fixing flaws. This year’s research shows that more than 70% of all flaws remain one month after discovery, and nearly 55% remain three months after discovery. Plus, we share evidence that DevSecOps unicorns do exist, and they’re fixing flaws 11.5x faster than the typical organization.

Read the report to gain valuable perspective on the state of software security today.

State of Software Security Vol. 9 by the Numbers

When it comes to the overall state of software security, there is still some room for improvement in AppSec. The rate of OWASP compliance declined for the third year in a row, with OWASP Top 10 initial scan pass rates only reaching 22.5%. What’s more, over 85% of all applications have at least one vulnerability in them; over 13% of applications have at least one very high severity flaw.

For more of the top takeaways from this year’s report, check out the infographic.

The DevSecOps Effect

There is a strong correlation between how many times an organization scans and how quickly they address their vulnerabilities. DevOps or Agile-driven development teams are scanning more often, and as a result, they are making incremental improvements every time they test. As you can see in the figure to the right, once organizations hit 300 or more scans per year – the true territory of DevSecOps unicorns – they are seeing the fix velocity going into overdrive.

Flaw Remediation and Mitigation Are the Ultimate AppSec Objectives

This year, we partnered with the data science team at Cyentia Institute to bring you the first-ever look at flaw persistence. This helps us to look at vulnerability fix behavior, and break down how different variables like flaw type, severity, app criticality, and rate of scanning impact the fix velocity and, conversely, the persistence of flaws once they've been discovered.

Figures: Severity Flaw Persistence Analysis; Flaw Persistence Analysis by Criticality and Severity; Flaw Persistence Analysis of Common Flaws

Open Source Components Remain a Risk

In SOSS Vol. 9, we took another look at the security of open source software, and we found that enterprises are still struggling with vulnerable open source components within their software. For example, last year about 88% of Java applications had at least one vulnerability in a component; this year that figure dipped only marginally, to 87.5%.

Industry View: Retail

In the State of Software Security Volume 9, Veracode’s scan data shows that retail organizations saw an improvement of nearly 12% in OWASP latest-scan pass rates over last year. What’s more, retail organizations are quick to fix their flaws – a great sign that the industry’s AppSec programs are continuing to mature.

Figures: Flaw Persistence by Industry: Manufacturing; Flaw Persistence by Industry: Retail; Flaw Persistence by Industry: Technology

Advance Your Organization’s Application Security Program

The speed at which organizations fix flaws they discover in their code directly mirrors the level of risk incurred by applications. The faster organizations close vulnerabilities, the less risk software poses over time. But the sheer volume of open flaws within applications means that your development teams need to find effective ways to prioritize which flaws they fix first. While many organizations are doing a good job prioritizing by flaw severity, the data this year shows that they're not effectively considering other risk factors such as the criticality of the application or exploitability of flaws.
